
Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers

"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack.

For those of you who aren’t familiar with SQL Injection attacks, it’s a pretty well known web application attack vector that exists in high volume on dynamic applications, say for instance, on your banking site. SQL Injection allows an attacker to subvert the logic of the currently running SQL query in order to interact with data more interesting to the attacker, bypass authentication/authorization, or run arbitrary commands on the operating system of the database server."

Article Link: http://blogs.zdnet.com/security/?p=1059

